Tuesday, July 20, 2010

I've never been big on entering competitions, mostly because maths gets in the way. You do a quick calculation on the odds of winning anything of note and realise your time is better spent working to actually earn some money the old-fashioned way.

It was rather a surprise to learn that I'd been shortlisted on the Forensic4Cast awards as Digital Investigator of the Year. It was even more surprising to win it! I would have loved to have been in Washington for the award ceremony but there we go.

Anyway, thanks to Forensic4Cast and everyone that voted for me, I'm over the moon, and looking forward to getting the award.

Thanks also to my makeup artist, my parents for all their hard work and Yoda for sticking with me throughout my Jedi training. I may cry.

Wednesday, May 12, 2010

Acquisition of OS X RAM is a bit of a holy grail of memory analysis, quite simply because no-one has done it, or has admitted to it. It is always good form to realize that whatever we think of as secure has probably been undermined by Dark Forces working from bunkers under grassy fields, or desert, or tundra depending on your Government Agency of choice.

In Leopard there were some significant weaknesses in OS X RAM, well researched and documented by Dai Zovi (We're not worthy!) who demonstrated in 2009 a number of different attacks on the OS through the poorly implemented memory stack which enabled heap allocated memory to be executable, unlike Vista/7 etc - Windows more secure - who knew!!

Snow Leopard with its 64bit architecture has gone a long way to solve that. But with the incredible amount of information available from a Windows RAM dump it would be great to achieve the same from a Mac. Work has been done with DMA (Direct Memory Access) via Firewire which can theoretically work and some researchers had some success with Leopard but its all gone quiet with Snow Leopard. So where does that leave us?

Well, unless you are prepared to freeze the chips you need to acquire the RAM whilst the machine is live. On a Linux machine you can simply dd /dev/mem and /dev/kmem but no such luck with OS X.

For the time being our best bet is the OS X counterpart of hiberfil.sys. In Windows hiberfil is a file generated in the root of C when the PC is put into hibernate state. The resulting file can be converted into a raw RAM dump using either tools from Matthieu Suiche with the Sandman project or the version produced for Volatility. OS X has a similar file called sleepimage. You can see if your Mac has one at the moment by doing the following:-

Open terminalType - cd /var/vmType - ls

If your machine has been hibernated you should see a sleepimage file with a file size that is the same as your RAM.

If you come up against a running Mac and will be seizing it then it is possible to force the machine to create the sleepimage file.

Suggested 'Forensic' methodology:-

Open TerminalType - sudo pmset –a hibernatemode 1

When you shut the lid it now creates a hibernate file and shuts machine down rather than putting it into sleep mode. The problem is that it will likely ask for the admin password. You could run MacLockpick which will extract the Keychain and possibly give you the password you need.

Next, you need to set it back - sudo pmset –a hibernatemode 3

Shut the lid, take the machine.

Now simply image the drive as normal and extract the sleepimage file and analyze.

If you were doing a live data acquisition or search of the machine it is simply the case of plugging in a USB drive and typing:-

sudo cp /var/vm/sleepimage /Volumes/USBkey (Where USBKey is the name of your drive.)

Now the problems:-

Changing the hibernatemode makes a technical change to the machine.The technique forces you to shut the machine down which is no good if you want the RAM live whilst leaving the machine running.There are currently no tools available for the analysis of the sleepimage. The tools we use for Windows RAM analysis such as Volatility, Foremost, Memoryze etc do not work. Get coding!

This post is not desperately useful as it just explains how to get a pseudo-Ram dump out, what you then do with it is up to you. If you figure anything out I'd love to hear about it!

Monday, April 12, 2010

Well I'm doing what thousands of bloggers will do in the next few weeks and writing a post about their shiny new iPad whilst writing it on said device. And here it is. An iPad. It's thin, fairly weighty and I feel like a very small person in a Lilliputian universe typing on an iPhone.

The iPad box arrived via DHL from the US the day after release and the family sat down for the social and yet rather sensual task of unwrapping an Apple product. The top slid off with a satisfying whooshing sound, possibly in my mind, and there it was, covered by the familiar cellophane wrapping, a big iPhone. I unwrapped it and held the big iPhone in my hands. It felt like it wanted to be dropped, slim and too slippy until I discovered the Apple sign on back in more grippy material which just a finger on makes it feel more secure.

Plug it into the Mac and turn it on. No iPhone\iPod clone here. Oh yes it is, just bigger icons. ooh and look you can swish your finger from page to page just like....umm my iPhone. First job, connect wifi, no issues here, straight on. Open Safari, key news.BBC.co.uk and .... Oh my goodness it looks fantastic. I spent the next half hour just browsing the web, especially news sites. No question, this is the best way to browse the web. It is so natural, so like holding a book, just sit on the sofa and read, sweeping between sites with ease. Sorry, if you wanted to hate the iPad, then never try browsing BBC news or The Times. It is just awesome.

Next I downloaded several new apps, the Epicurious recipe app, which is fantastic, the new accuweather app, beautiful, Real Racing HD for my son which is brilliant. I have to apologize but I just love this device.

Now seriously what "is it"? Is it a net book with no keyboard or a big iPhone? Simply neither. This is a new device, a perfect form factor for reviewing and browsing data. For producing data it is honestly a bit rubbish, the keyboard is ok and I can now type pretty fast but it's no replacement for a proper keyboard. I think I would happily write a few emails and if stuck on a plane with no laptop battery life I would write another blog post but it wouldn't be my first choice. However the last paragraph was written without editing or deleting mistakes and I think it's all ok.

Now what about battery life, Apple say 10 hours. I first charged this Thursday of last week in the evening, it got a pretty heavy hammering by the whole family including games and lots of browsing and kindle style book reading. It didn't go back on charge until Sunday evening which I think is pretty blooming brilliant. It's been off charge all day and been in use constantly for the past 3 hours and the battery life still shows 66%. Not bad. The battery got a real hammering at my local Apple store today, none of the guys there had seen an iPad and wanted me to pop in with it. It was interesting to see them having their photos taken with it, star status!

The other app I have is Air Sharing, this let's me set the iPad as a hard drive on my Mac. I can drag and drop files onto the iPad and review them on the go, very easy. I tend to carry a lot of research stuff, PDFs etc so this will be excellent. The reading size is perfect and with no boot time you can be reading your document in 5 secs.

I'm flying to Hong Kong next week and this will be my device of choice on the plane, I can read a book, very clear actually, watch a film, superb screen quality and play a few games, what else do you need sat still for 14 hours? Yes it is just a big iPhone but the form factor makes it a superb device, not a laptop, not an iPhone, it's an iPad.

Thursday, March 11, 2010

I've had some very good feedback about the Skypeex tool and I appreciate all your comments.

One or two have not really seen the point of the tool as there are plenty of Skype log viewers around such as from Nirsoft and Skypr. I will repeat what I posted on the LinkedIn discussion board.

"the Nirsoft tool, and others, are log viewers and this presupposes that you have access to the disk/logs. A covert live acquisition will often just take RAM and other volatile data, RAM may be taken before the plug is pulled only to discover that the disk is Full Disk Encrypted or that the logs are in a Truecrypt container. The user could even be using 'Portable Apps' Skype on a USB key which would mean no log files at all on the disk, however the data could still be in RAM.

This little tool is not meant to be a replacement for the excellent chat log viewers out there but provides a way of getting the data from RAM where circumstances dictate."

I'm working on an improved version where Strings isnt needed and hope to have that sorted in the next couple of weeks.

Tuesday, March 9, 2010

I’ve been teaching my RAM analysis course for about a year now and enjoy working with Volatility and some other open source tools. I’ve been making use of Jeff Bryners cool little Python script (http://www.jeffbryner.com/code/pdgmail) to extract Gmail artifacts and was motivated to do the same for Skype chat and any other Skype stuff that might be hanging around in a RAM dump.

The only problem was that, although I’ve done a bit of programming in the past, Python was a long hissy thing you wouldn’t want to meet on a dark night. Having gone through the pain of programming ‘Hello, world’, simple Pokemon text games for my lad and tedious maths exercises, I’ve actually managed to produce something meaningful.

The idea is to extract Skype chat lines with their associated meta-data, which includes timestamps, the Skype names in the conversation and the author etc.

The complete Skype line in RAM starts with the magic value ‘INTO Messages” followed by column headers then the values of the chat line including the chat body.

This is very much work in progress but will simply do the following:-

1. Run Strings against your RAM dump2. Run the Skypeex tool against the resulting Strings file3. It will carve out all the Skype chat lines it can see as well as trying to find and extract all the Skype sessions and ‘orphan’ chats that have been created.

It’s interesting to note that the latter process even seems to find the ‘spam’ message sessions that you sometimes receive.

This has been tested on dump files from Windows XP2 and XP3 with Skype 3.8 through 4.2.I don't currently have a Windows 7 box up and running, if anyone has one available please let me know.

Please do not hesitate to get in touch with ideas and improvements.

Usage:

There are 2 versions in the zip file.

skypeex.py is designed for use under Python 3.1.1 and above

skypeex26 is designed for use under Python 2.6

Due to changes with several commands between 2.6 and 3 they are not interchangeable, although the differences in this code are only in the input and print lines.For best testing results, have several Skype IM chats with friends and then image your RAM. On a windows box, use any tool to grab RAM (tested on Win XP SP2/3):

The output files will be written to the folder where the script is run from. The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and carved orphan chats. Please expect many duplicates and some false positives.

In the CSV file the 'Timestamp' column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I'm writing a UNIX time decoder but it doesn't work yet.

This searches for the magic value, strips out the rubbish and returns the comma delimited values we are interested in. This includes:-

Chatname – the initiator and recipient of the session Timestamp – The time and data the message was sent in UNIX time Author – the sender of the message From_dispname – the screen name being used by the sender Body_xml – the body of the message, can slip into the chat_msg column GUID – session identifier

This time we look for the existence of the # and /$ characters in the same line. This refers to the pattern written to RAM of each Skype session, which looks like this:

#nfurneaux/$bennyboy1982;810b0fd9ef04db08

This shows the 2 persons in the Skype session with the first name being the initiator of the conversation. I’m still trying to figure out the hex value at the end, but it seems to be a GUID session number, any ideas let me know.

We are able to see the actual Skype name as well as the screen name being used during the session. The cool thing is that we also grab the next line with often includes actual chat associated with the recovered session. Hence we capture:-

Im just preparing to release a Skype RAM carver written in Python and I thought that my blog would be the best place to put it. However, I just checked it to make sure I remembered how to log in and noticed that my last blog was in Oct. This is a coincidence as Oct was the last time I went for a run! I was thinking that there was no correlation but actually, moving house, traveling all over the place and a very busy work 6 months has contributed to both.

Yesterday I went out with my lad and ran for 2.5 miles, including loads of up hill and was pretty surprised at my retained fitness, which is good, however my blogging looks in much worse shape.

It doesn't help that the eponymous Happy Monkey is regularly blogging fabulously funny and insightful ditties that anything I do will be put to shame. However, watch this space for a free, and rather cool, Skype Chat RAM Carver.

Contact details

About Me

I've been working with computers since my ZX81, closely followed by an Oric 1 (if anyone remembers those?). In the past 11 years I've been working in the area of computer forensic investigation and research in both the Law enforcement and Corporate worlds.
I have trained 100's of investigators in the past few years in the area of Live Forensics and RAM Analysis.
Lately I have been working with Law enforcement agencies across Europe and the USA in both an operational and training capacity.

Computer forensics is an evolving science with constantly developing tools and techniques. CSITech, led by Nick Furneaux, is striving to be at the forefront of these developments working on tools and techniques for the collection and analysis of volatile data for both the Law Enforcement and Corporate worlds.